
Payment cards: Top target in data breach attacks

"Hacking gets the criminal in the door but malware gets him the data"


By Elinor Mills

Published: 16 April 2009 11:02 GMT

More records were breached in 2008 than in the previous four years combined as a result of a few large breaches involving payment cards, according to a report released on Wednesday.

Last year, 295 million records were compromised and there were 90 confirmed breaches, the Verizon Business 2009 Data Breach Investigations report found.

The top five breaches accounted for 93 per cent of total records compromised. As a percentage of caseload, 80 per cent were payment card breaches, while payment card data represented 98 per cent of all records compromised last year.

PIN data was increasingly targeted in 2008 in attacks in which magnetic-stripe data and PIN data were used for identity fraud. For example, criminals used the data to make ATM withdrawals from victims' accounts.

PIN data stolen in a breach at payment processor RBS WorldPay was used to clone cards and withdraw millions of dollars from victim bank accounts last year.

More than three-quarters of organisations suffering payment card breaches were found to be not compliant with PCI data security standards or had never been audited. The typical organisation had met less than a third of the requirements in the standards, the report found.

Of the total breaches, 75 per cent came from external sources, 39 per cent involved multiple parties, 32 per cent involved business partners and in 20 per cent of the cases insiders were implicated. Three-quarters of the breaches were undiscovered and uncontained for weeks or months.

As for types of breaches, 64 per cent resulted from malicious hacking, 38 per cent used malware, 22 per cent involved privileged misuse, and nine per cent used physical attacks such as equipment theft or tampering.

In about four out of 10 hacking-related breaches, an attacker gained unauthorised access to the victim via one of the many types of remote access and management software, typically provisioned to third parties for remote administration.

During 2008, malware was involved in more than a third of the cases investigated and contributed to nine out of 10 of all records breached.

"Malware is now an essential component to nearly all large-scale data breach scenarios," the report said. "Hacking gets the criminal in the door but malware gets him the data."


This chart shows threat categories by per cent of breaches (black) and records (red). Credit: Verizon

Original article: Report: Payment card data was top target in 2008 from CNET News.com
